From 90c7efc8f233100557514b01f37d50531afbfa46 Mon Sep 17 00:00:00 2001
From: suzuki toshiya
Date: Sat, 1 Aug 2009 00:30:13 +0900
Subject: [PATCH] otvalid: Prevent an overflow by GPOS/GSUB 32b-bit offset.
---
 ChangeLog | 11 +++++++++++
 src/otvalid/otvgpos.c | 3 ++-
 src/otvalid/otvgsub.c | 3 ++-
 3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 3a45c7e8f..b6b59f9b0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2009-07-31 suzuki toshiya
+
+ otvalid: Prevent an overflow by GPOS/GSUB 32b-bit offset.
+
+ * src/otvalid/otvgpos.c (otv_ExtensionPos_validate):
+ Extend ExtensionOffset from FT_UInt to FT_ULong, to
+ cover 32-bit offset on 16-bit platform.
+
+ * src/otvalid/otvgsub.c (otv_ExtensionSubst_validate):
+ Ditto.
+
 2009-07-31 suzuki toshiya
 ftobjs.c: Prevent an overflow in glyph index handling.
diff --git a/src/otvalid/otvgpos.c b/src/otvalid/otvgpos.c
index 53025ec5e..c8b42213c 100644
--- a/src/otvalid/otvgpos.c
+++ b/src/otvalid/otvgpos.c
@@ -911,7 +911,8 @@
 {
 case 1: /* ExtensionPosFormat1 */
 {
- FT_UInt ExtensionLookupType, ExtensionOffset;
+ FT_UInt ExtensionLookupType;
+ FT_ULong ExtensionOffset;
 OTV_Validate_Func validate;
diff --git a/src/otvalid/otvgsub.c b/src/otvalid/otvgsub.c
index f01fca1e8..ed499d1e9 100644
--- a/src/otvalid/otvgsub.c
+++ b/src/otvalid/otvgsub.c
@@ -415,7 +415,8 @@
 {
 case 1: /* ExtensionSubstFormat1 */
 {
- FT_UInt ExtensionLookupType;
+ FT_UInt ExtensionLookupType, ExtensionOffset;
+ FT_ULong ExtensionOffset;
 OTV_Validate_Func validate;
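Review bot: The widened declaration `FT_ULong ExtensionOffset;` in the otvgpos.c hunk has no comment explaining why its width differs from `ExtensionLookupType`, so a later tidy-up could fold the two back into one `FT_UInt` line and silently bring the truncation back; the otvgsub.c hunk has the same gap. I would add `/* 32-bit offset field; FT_UInt may be only 16 bits wide */` directly above the declaration in both files. The `case 1:` body continues outside both hunks, so the read of the offset and its use are not visible here. It is worth confirming that the value is read with a 32-bit accessor and checked against the table limit before the sub-table validator is invoked on it, since a validator that inspects a different location than the consumer later dereferences gives false assurance about the font.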